Add RestrictAddressFamilies and SystemCallFilter
This commit is contained in:
parent
1ac3a1c1f7
commit
f1ec6a6c85
1 changed files with 2 additions and 1 deletions
|
@ -16,6 +16,7 @@ ExecStart=__FINALPATH__/script >> /var/log/__APP__/__APP__.log 2>&1
|
|||
NoNewPrivileges=yes
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
DevicePolicy=closed
|
||||
|
@ -24,7 +25,7 @@ ProtectControlGroups=yes
|
|||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
LockPersonality=yes
|
||||
|
||||
SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap
|
||||
|
||||
# Denying access to capabilities that should not be relevant for webapps
|
||||
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
|
||||
|
|
Loading…
Reference in a new issue